Agent Skillslawve-ai/awesome-legal-skills › skill-security-auditor

skill-security-auditor

GitHub

用于在安装前对AI代理技能进行静态安全审计,检测代码执行、网络外泄等十类威胁并给出通过/警告/失败结论。

skills/skill-security-auditor-antoine-louis/SKILL.md lawve-ai/awesome-legal-skills

Trigger Scenarios

安装第三方技能或插件前 询问技能是否安全时 CI流水线审核用户提交的技能 克隆技能仓库后首次运行前

Install

npx skills add lawve-ai/awesome-legal-skills --skill skill-security-auditor -g -y
More Options

Use without installing

npx skills use lawve-ai/awesome-legal-skills@skill-security-auditor

指定 Agent (Claude Code)

npx skills add lawve-ai/awesome-legal-skills --skill skill-security-auditor -a claude-code -g -y

安装 repo 全部 skill

npx skills add lawve-ai/awesome-legal-skills --all -g -y

预览 repo 内 skill

npx skills add lawve-ai/awesome-legal-skills --list

SKILL.md

Frontmatter
{
    "name": "skill-security-auditor",
    "metadata": {
        "author": "Dr. Antoine Louis",
        "license": "agpl-3.0",
        "version": "2026-05-12"
    },
    "description": "Audit an AI agent skill before installing it. Use proactively whenever the user is about to add, install, enable, or evaluate an unfamiliar skill — including phrases like \"audit this skill\", \"is this skill safe\", \"scan skill before install\", \"check skill for malicious code\", \"review this plugin\", or any pre-install gate on an untrusted, third-party, or community-distributed skill bundle. Runs ten categories of static checks (code execution, network exfiltration, credential harvesting, persistence, prompt injection, supply-chain hooks, obfuscation, destructive filesystem ops, secrets, Trojan Source \/ homoglyphs) and emits a PASS \/ WARN \/ FAIL verdict."
}

Skill Security Auditor

Static analysis for AI agent skills. Run it on any skill from outside your own trust boundary before letting an agent execute its scripts. The auditor walks the entire skill directory and emits findings across ten threat categories, then collapses them into a single verdict that CI can gate on.

This skill is paranoid by design. It assumes a skill author may be trying to compromise the host system, exfiltrate credentials, persist beyond the session, or inject hostile instructions into the model. Most skills will trip a couple of LOW or MEDIUM findings — that's expected. The signal worth acting on is CRITICAL and HIGH.

When to use

Trigger this skill when the user:

  • Is about to install a third-party skill, plugin, or agent extension.
  • Asks "is this skill safe?", "audit it", "scan it", "is there anything sketchy in here?", or similar pre-install review questions.
  • Wants a security gate on a skill marketplace, internal skill registry, or CI pipeline that ingests user-submitted skills.
  • Just cloned a skill repo and wants a one-shot review before running it.

Do not use this skill when the user is auditing their own first-party code — there are better static-analysis tools (Semgrep, Bandit, CodeQL) for that. This skill specializes in the specific attack surface of AI agent skills: SKILL.md prompt injection, malicious tool helpers, supply-chain hooks in dependency manifests, and persistence mechanisms that survive the agent session.

Quick start

# Audit a local directory
python3 scripts/audit.py /path/to/skill

# Audit a git repo (cloned to a temp dir, optionally cleaned up after)
python3 scripts/audit.py https://github.com/example/some-skill.git --cleanup

# Strict mode — treat HIGH findings as blocking (recommended for CI)
python3 scripts/audit.py ./skill --strict

# Machine-readable output for CI
python3 scripts/audit.py ./skill --json --output report.json

# Markdown report suitable for pasting into a PR comment
python3 scripts/audit.py ./skill --markdown --output review.md

# Audit a sub-skill inside a repo containing several
python3 scripts/audit.py ./repo --skill skills/my-skill

Exit codes: 0 PASS · 1 FAIL · 2 WARN · 3 usage/IO error.

What gets scanned

Every file under the skill root is classified and routed to the appropriate scanner. The categories below summarize what each scanner looks for; references/threat-model.md covers the why in depth.

Category Severity span Examples
Code execution HIGH–CRITICAL eval, exec, os.system, subprocess(shell=True), dynamic getattr
Network exfil MEDIUM–CRITICAL hardcoded IPs, webhook sinks (webhook.site, ngrok, interact.sh), requests.post to runtime URLs
Credential harvest HIGH–CRITICAL reads from ~/.ssh, ~/.aws, ~/.gnupg, sensitive env vars, browser cookie DBs
Persistence HIGH–CRITICAL cron, systemd, launchctl, shell rc files, git hooks, authorized_keys, registry Run keys
Prompt injection MEDIUM–CRITICAL "ignore previous instructions", role markers, <|im_start|>system, hidden HTML comments
Supply chain MEDIUM–CRITICAL unpinned deps, typosquats (Levenshtein 1–2 from popular packages), npm postinstall hooks
Obfuscation MEDIUM–HIGH base64-decoded code, chr(...) chains, hex-escape blobs, Bidi / Trojan Source
Filesystem LOW–CRITICAL binaries, symlinks escaping the skill, SUID bits, writes to /etc, rm -rf patterns
Secrets HIGH–CRITICAL AWS keys, GitHub tokens, OpenAI/Anthropic keys, private key headers, JWTs
CI workflow HIGH–CRITICAL unescaped ${{ github.event.* }} in run:, pull_request_target with checkout

The scanners run in this order: structure → filesystem → supply-chain → workflows → prompts → code. A malformed skill surfaces the structural issue first instead of drowning the reviewer in cascade findings.

Verdict criteria

The verdict is a three-state collapse of the findings:

  • PASS — no CRITICAL, no HIGH, fewer than 5 MEDIUM. LOW findings are informational and do not affect the verdict.
  • WARN — at least one HIGH (in default mode), or 5+ MEDIUM. Means: a human should look at this before installing, but nothing is definitely malicious.
  • FAIL — at least one CRITICAL, or any HIGH in --strict mode. Means: do not install. Either there's a clear malicious pattern, or there's something that needs explanation from the skill author before it can be trusted.

For automated gates, run with --strict. The default (non-strict) mode is for interactive review where a human is in the loop.

Reading a finding

Each finding has the same shape:

🔴 CRITICAL  (3 findings)
────────────────────────────────────────────────────────────────────────
scripts/install.py
  scripts/install.py:42  [CODE-EXEC]
    │ os.system(base64.b64decode(payload).decode())
    Risk: Decodes and executes a base64-encoded payload at runtime
    Fix:  Remove. Skills must not execute arbitrary decoded strings.
  • The category tag (CODE-EXEC) is stable across runs — use it to build baseline rules or filter in CI.
  • The snippet is the trimmed source line (max 140 chars). Long lines are truncated with ....
  • The risk and fix fields are one sentence each, deliberately short so a reviewer can triage 20 findings in under a minute.

Suppression

Two suppression mechanisms exist, intentionally orthogonal:

1. Line-level (# noqa: SEC-AUDITOR) — when a legitimate skill genuinely needs a flagged pattern. Add the marker as a trailing comment on the line:

import pickle  # noqa: SEC-AUDITOR — internal-only cache, never deserialized from network

Equivalent markers auditor:ignore-line and audit-skip also work. Lines with any of these markers are skipped during scanning.

2. Baseline file (fingerprint suppression) — for accepting findings without modifying source. Each finding has a stable 16-char fingerprint derived from sha256(file + snippet + pattern + category) — line numbers don't matter, so the fingerprint survives reformatting and reordering.

Get fingerprints from a JSON run:

python3 scripts/audit.py ./skill --json | jq '.findings[] | {fingerprint, category, file}'

Then commit a baseline.yml:

suppressions:
  - fingerprint: a1b2c3d4e5f60718
    reason: reviewed 2025-04-30, internal HTTP call to corporate API
  - fingerprint: 0123456789abcdef
    reason: false positive in vendored library, see ticket SEC-441

And run with --baseline baseline.yml. See assets/baseline.example.yml for the full schema.

CI integration

GitHub Actions, gated on CRITICAL findings, opening a PR comment on WARN:

name: Skill security audit
on: [pull_request]
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with: { python-version: '3.11' }
      - name: Clone auditor
        run: git clone https://github.com/your-org/skill-security-auditor.git /tmp/auditor
      - name: Run audit
        id: audit
        run: |
          python3 /tmp/auditor/scripts/audit.py . \
            --strict \
            --markdown \
            --output audit-report.md
        continue-on-error: true
      - name: Post review comment
        if: always()
        uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            const body = fs.readFileSync('audit-report.md', 'utf8');
            github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body
            });
      - name: Fail on critical
        if: steps.audit.outcome == 'failure'
        run: exit 1

For pre-commit, just call the auditor directly:

# .pre-commit-config.yaml
repos:
  - repo: local
    hooks:
      - id: skill-audit
        name: skill-security-auditor
        entry: python3 scripts/audit.py
        args: [--strict, --quiet]
        language: system
        pass_filenames: false
        always_run: true

References

Detailed reading lives in the references/ directory:

  • references/threat-model.md — Full taxonomy of attacks a malicious skill can mount, with concrete examples per category. Read this if you're writing a new pattern or evaluating whether the auditor covers a given attack scenario.
  • references/pattern-catalog.md — Complete list of every pattern the auditor recognizes, grouped by category, with example malicious source and the regex that catches it.
  • references/remediation-guide.md — How to fix each finding category. Linked from the fix field when guidance doesn't fit in one line.

Limitations

Stated honestly because security tools that pretend to be exhaustive are worse than ones that admit gaps:

  • No taint tracking. The auditor sees requests.post(url, data=secret) and flags it, but it doesn't trace whether url came from a trusted config. False positives are accepted as the cost of catching real exfiltration.
  • No dynamic analysis. A skill that downloads its payload at runtime from a CDN with no suspicious-looking hardcoded URL won't be caught here. Pair this with sandboxed execution and network monitoring.
  • Pattern arms race. Obfuscation techniques evolve; a determined attacker will find ways around any static check. CRITICAL findings are reliable; HIGH and MEDIUM are pattern matches that benefit from human eyes.
  • Python AST coverage only. JS/TS/shell get regex coverage but no AST pass, so aliased-import attacks in those languages are weaker checks.
  • No reputation data. This is a pure static analyzer — no calls to package registries or threat-intel feeds. Combine with pip-audit / npm audit for known-CVE coverage.

Why this exists

Skills run with the agent's full execution capability. A compromised skill can read your credentials, exfiltrate your data, persist on your system, or inject hostile instructions into the model that survive across conversations. Software that ingests untrusted code without static review is software that gets owned. This skill is the static review.

Version History

  • 7f58aaf Current 2026-07-05 11:54

Same Skill Collection

skills/assignation-refere-recouvrement-creance-selim-brihi/SKILL.md
skills/canned-responses-anthropic/SKILL.md
skills/compliance-anthropic/SKILL.md
skills/contract-review-anthropic/SKILL.md
skills/contract-risk-analyzer-sneha-ganapavarapu/SKILL.md
skills/docx-processing-lawvable/SKILL.md
skills/docx-processing-openai/SKILL.md
skills/docx-processing-superdoc/SKILL.md
skills/dpdpa-gdpr-review-parth-desai/SKILL.md
skills/dpia-sentinel-oliver-schmidt-prietz/SKILL.md
skills/eu-ai-act-report-oliver-schmidt-prietz/SKILL.md
skills/eu-ai-act-roles-oliver-schmidt-prietz/SKILL.md
skills/eu-ai-act-triage-oliver-schmidt-prietz/SKILL.md
skills/french-text-proofreading-christophe-quezel-ambrunaz/SKILL.md
skills/icelandic-company-formation-magnus-smari-smarason/SKILL.md
skills/icelandic-contract-review-magnus-smari-smarason/SKILL.md
skills/icelandic-court-case-finder-magnus-smarason/SKILL.md
skills/icelandic-eea-gap-analysis-magnus-smari-smarason/SKILL.md
skills/icelandic-labour-law-magnus-smari-smarason/SKILL.md
skills/icelandic-legal-terminology-magnus-smari-smarason/SKILL.md
skills/icelandic-privacy-review-magnus-smari-smarason/SKILL.md
skills/legal-data-hunter-zacharie-laik/SKILL.md
skills/legal-risk-assessment-anthropic/SKILL.md
skills/lgpd-sentinel-rafael-mastronardi/SKILL.md
skills/mcq-generator-christophe-quezel-ambrunaz/SKILL.md
skills/meeting-briefing-anthropic/SKILL.md
skills/nda-review-jamie-tso/SKILL.md
skills/nda-triage-anthropic/SKILL.md
skills/notification-licenciement-selim-brihi/SKILL.md
skills/outlook-emails-lawvable/SKILL.md
skills/outside-counsel-billing-and-performance-reviewer-carl-ditzler/SKILL.md
skills/pdf-processing-anthropic/SKILL.md
skills/pdf-processing-openai/SKILL.md
skills/politique-confidentialite-malik-taiar/SKILL.md
skills/politique-cookies-malik-taiar/SKILL.md
skills/politique-lanceur-alerte-malik-taiar/SKILL.md
skills/privilege-sentinel-emily-cabrera/SKILL.md
skills/requete-cph-licenciement-faute-grave-selim-brihi/SKILL.md
skills/security-review-openai/SKILL.md
skills/skill-creator-anthropic/SKILL.md
skills/skill-creator-openai/SKILL.md
skills/skill-optimizer-lawvable/SKILL.md
skills/swiss-legal-source-authority-triage-enrique-g-zbinden/SKILL.md
skills/tabular-review-lawvable/SKILL.md
skills/tech-contract-review-parth-desai/SKILL.md
skills/vscode-extension-builder-lawvable/SKILL.md
skills/xlsx-processing-manus/SKILL.md
skills/xlsx-processing-openai/SKILL.md
skills/ai-governance-reviewer-carl-ditzler/SKILL.md
skills/analyse-rgpd-dpa-fournisseur-hugo-salard/SKILL.md
skills/assignation-refere-communication-associe-selim-brihi/SKILL.md
skills/audit-de-conformite-rgpd-site-internet-hugo-salard/SKILL.md
skills/bacen-compliance-sentinel-rafael-mastronardi/SKILL.md
skills/billable-time-stephane-boghossian/SKILL.md
skills/billing-cycle-manager-scott-margetts/SKILL.md
skills/budget-and-fee-manager-scott-margetts/SKILL.md
skills/climate-aligned-contracts-tclp/SKILL.md
skills/collaboration-platform-advisor-scott-margetts/SKILL.md
skills/continuous-improvement-engine-scott-margetts/SKILL.md
skills/customs-trade-law-onur-kafkas/SKILL.md
skills/divorce-ct-stephane-boghossian/SKILL.md
skills/doctrinal-research-allison-fiorentino/SKILL.md
skills/document-approval-tracker-scott-margetts/SKILL.md
skills/docx-processing-anthropic/SKILL.md
skills/employment-law-research-yue-deng-wu/SKILL.md
skills/en-us-legal-translation-wouter-van-den-berg/SKILL.md
skills/engagement-terms-billing-guidelines-scott-margetts/SKILL.md
skills/eu-ai-act-classification-oliver-schmidt-prietz/SKILL.md
skills/eu-ai-act-high-risk-implementation-readiness-werner-plutat/SKILL.md
skills/eu-ai-act-obligations-oliver-schmidt-prietz/SKILL.md
skills/eu-data-act-compliance-assessment-werner-plutat/SKILL.md
skills/eu-data-act-ryan-malek/SKILL.md
skills/fee-arrangement-structuring-scott-margetts/SKILL.md
skills/flash-case-law-research-giovanna-panucci/SKILL.md
skills/fria-eu-ai-act-article-27-werner-plutat/SKILL.md
skills/gdpr-breach-sentinel-oliver-schmidt-prietz/SKILL.md
skills/gdpr-privacy-notice-eu-oliver-schmidt-prietz/SKILL.md
skills/https-www-lawvable-com-en-author-patrick-munro-2/SKILL.md
skills/https-www-lawvable-com-en-author-patrick-munro-3/SKILL.md
skills/https-www-lawvable-com-en-author-patrick-munro/SKILL.md
skills/indian-foreign-investment-approval-assessment-siddhi-kudalkar/SKILL.md
skills/invoice-review-compliance-scott-margetts/SKILL.md
skills/judicial-first-impression-larissa-meredith-flister/SKILL.md
skills/jurisrank-argentine-supreme-court-analysis-adrian-lerer/SKILL.md
skills/lawyerscrib-garry-haas/SKILL.md
skills/legal-assistant-christophe-quezel-ambrunaz/SKILL.md
skills/legal-document-drafting-formatting-alessandro-dardano/SKILL.md
skills/legal-guidance-vault-michael-cremata/SKILL.md
skills/legal-risk-assessment-zacharie-laik/SKILL.md
skills/legal-simulation-patrick-munro/SKILL.md
skills/legal-translation-uk-english-wouter-van-den-berg/SKILL.md
skills/legitimate-interest-oliver-schmidt-prietz/SKILL.md
skills/litigation-deadline-calendar-dave-marcus/SKILL.md
skills/local-counsel-manager-scott-margetts/SKILL.md
skills/mandarinat-christophe-quezel-ambrunaz/SKILL.md
skills/mandatory-verification-larissa-meredith-flister/SKILL.md
skills/matter-allocation-instruction-scott-margetts/SKILL.md
skills/matter-intake-scoping-scott-margetts/SKILL.md
skills/matter-plan-builder-scott-margetts/SKILL.md
skills/mediation-dispute-analysis-jinzhe-tan/SKILL.md
skills/new-designation-screening-test-amir-fadavi/SKILL.md
skills/nil-contract-analysis-samir-patel/SKILL.md
skills/nis2-navigator-oliver-schmidt-prietz/SKILL.md
skills/nist-ai-rmf-rafal-fryc/SKILL.md
skills/opposing-counsel-review-larissa-meredith-flister/SKILL.md
skills/oral-argument-stephane-boghossian/SKILL.md
skills/originality-in-european-copyright-joris-deene/SKILL.md
skills/panel-design-selection-scott-margetts/SKILL.md
skills/panel-review-rationalisation-scott-margetts/SKILL.md
skills/performance-scorecard-scott-margetts/SKILL.md
skills/persuasive-legal-writing-larissa-meredith-flister/SKILL.md
skills/pptx-processing-anthropic/SKILL.md
skills/raisonnement-juridique-amaury-fouret/SKILL.md
skills/recherche-theses-allison-fiorentino/SKILL.md
skills/red-team-verifier-patrick-munro/SKILL.md
skills/resource-planner-scott-margetts/SKILL.md
skills/rfp-pitch-management-scott-margetts/SKILL.md
skills/risk-and-issues-manager-scott-margetts/SKILL.md
skills/sanctions-screening-gillan-saleh/SKILL.md
skills/sanctions-screening-legal-analysis-skill-english-gillan-saleh/SKILL.md
skills/scope-change-controller-scott-margetts/SKILL.md
skills/screening-alert-adjudication-amir-fadavi/SKILL.md
skills/skill-injection-defense-ignacio-adrian-lerer/SKILL.md
skills/source-locked-verification-larissa-meredith-flister/SKILL.md
skills/stakeholder-comms-planner-scott-margetts/SKILL.md
skills/status-report-drafter-scott-margetts/SKILL.md
skills/statute-analysis-rafal-fryc/SKILL.md
skills/tech-contract-negotiation-patrick-munro/SKILL.md
skills/timeline-generator-scott-margetts/SKILL.md
skills/vendor-due-diligence-patrick-munro/SKILL.md
skills/victor-wang-yc-saas-drafter/SKILL.md
skills/xlsx-processing-anthropic/SKILL.md

Metadata

Files
0
Version
7f58aaf
Hash
44f68d2f
Indexed
2026-07-05 11:54

Accueil - Wiki
Copyright © 2011-2026 iteam. Current version is 2.155.2. UTC+08:00, 2026-07-09 03:28
浙ICP备14020137号-1 $Carte des visiteurs$